authorJeremy Allison <jra@samba.org>2006-12-09 02:58:18 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:24 -0500
commit63609fbb04d2ce620338b4b79e7c1abf39f08ef8 (patch)
treec036fe84a97efbee490c470051cf1de360d502d3 /source3/smbd
parent19ddef3dd9065b04896c626e7b4c691c7bbbec53 (diff)
r20090: Fix a class of bugs found by James Peach. Ensure
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevant parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/conn.c2
-rw-r--r--source3/smbd/service.c9
2 files changed, 8 insertions, 3 deletions
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index 0b0da589e4..f2c04662a1 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -269,7 +269,7 @@ void conn_free_internal(connection_struct *conn)
}
if (conn->ngroups && conn->groups) {
- SAFE_FREE(conn->groups);
+ TALLOC_FREE(conn->groups);
conn->ngroups = 0;
}
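Review bot: The surrounding guard `if (conn->ngroups && conn->groups)` still skips the release when `ngroups` is 0 but `groups` is non-NULL, which would leave a talloc'ed array behind on that path. Assuming TALLOC_FREE is NULL-safe and clears the pointer, as the macro is normally defined, the guard can be dropped in favour of an unconditional `TALLOC_FREE(conn->groups);` followed by `conn->ngroups = 0;`. Whether that state can actually arise depends on how add_gid_to_array_unique() grows the array, which is not shown here. conn_free_internal() starts and ends outside this hunk.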
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index c2dd062777..62d85cfdd9 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -853,8 +853,13 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
sid_string_static(sid)));
continue;
}
- add_gid_to_array_unique(NULL, gid, &conn->groups,
- &conn->ngroups);
+ if (!add_gid_to_array_unique(NULL, gid, &conn->groups,
+ &conn->ngroups)) {
+ DEBUG(0, ("add_gid_to_array_unique failed\n"));
+ conn_free(conn);
+ *status = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
}
}
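Review bot: The array is still allocated on a `NULL` talloc context in the new `if (!add_gid_to_array_unique(NULL, gid, &conn->groups,` call, so `conn->groups` has no owning parent and is released only if every teardown path reaches the explicit `TALLOC_FREE(conn->groups)` in conn_free_internal(). The new error path calls conn_free(), which presumably ends up there, but that is not visible in this hunk; a comment at the call would pin the contract, e.g. `/* groups lives on the NULL talloc context; freed via TALLOC_FREE in conn_free_internal() */`. Because this commit exists to stop malloc'ed and talloc'ed memory being mixed, naming the allocator at the allocation site makes it harder for a later SAFE_FREE to creep back in and corrupt the heap. The loop and make_connection_snum() both extend beyond the hunk, so resources acquired before this point could not be checked against the new early return.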